Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 21/09/2024, 01:31
Static task: static1
Behavioral task: behavioral1
- Sample: eed0ffd9b9cda03fec99477db1c86c5b_JaffaCakes118.dll
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: eed0ffd9b9cda03fec99477db1c86c5b_JaffaCakes118.dll
- Resource: win10v2004-20240802-en
General
- Target: eed0ffd9b9cda03fec99477db1c86c5b_JaffaCakes118.dll
- Size: 4.9MB
- MD5: eed0ffd9b9cda03fec99477db1c86c5b
- SHA1: 64b411590a05a21cd24caf2205c6a9f80051948f
- SHA256: 073c2866f9495a3ae8edb03e25acac783faf86e5953679fef3cf46708a0e139d
- SHA512: 7352ea4c9c3ada7e24fb0df8d893fba038307864c0f49a74ad14dce56f5c08193d89109bd2aafd5393e088863148189bb024071ebe7d764c6376e72fa29b76f7
- SSDEEP: 6144:IS44io4Ukuqb0WFGtBFgN/1aAgrr8gFpojB:1Qo4UkuqAW04Qrr8gFq
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" | rundll32.exe
  Note that the value name and CLSID match the legitimate WebCheck shell service object; the hijack is in the CLSID registration below, which is what the SSODL value resolves to.
- Loads dropped DLL (1 IoC)
  pid | Process
  2292 | rundll32.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\bniasdo.dll | rundll32.exe
  File created | C:\Windows\SysWOW64\bniasdo.dll | rundll32.exe
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
- Modifies registry class (5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\ = "C:\\Windows\\SysWow64\\bniasdo.dll" | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} | rundll32.exe
  This is the CLSID the ShellServiceObjectDelayLoad value above references, so Explorer's WebCheck load now resolves to the dropped C:\Windows\SysWow64\bniasdo.dll. All of these keys sit under Wow6432Node because they were written by the 32-bit (SysWOW64) rundll32.exe and redirected by WOW64.
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 1992 wrote to memory of 2292 | 1992 | rundll32.exe | 30 (reported 7 times, all identical)
  All seven events have the same parent (1992) and target (2292): the 64-bit rundll32.exe relaunching its SysWOW64 counterpart for a 32-bit DLL (see Processes). The behaviour worth acting on is the child's persistence above, not this.
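The persistence chain above only becomes visible when the ShellServiceObjectDelayLoad (SSODL) value is followed through its CLSID to the InProcServer32 path, because the value itself (WebCheck = {E6FB5E20-DE35-11CF-9C87-00AA005127ED}) looks exactly like the stock entry. The script below is an added triage check, not code from the Triage report or from the sample: it enumerates both the native and the Wow6432Node SSODL keys (a 32-bit dropper like the SysWOW64 rundll32.exe here is redirected to the latter), resolves each CLSID in both views of the COM class table, and flags any resolved DLL that is missing, unsigned, not signed by Microsoft, or outside %SystemRoot%. The function names, the output columns and the "signed by Microsoft" heuristic are this example's own choices.

```powershell
# Added example (not part of the Triage report): resolve every SSODL entry to the
# DLL Explorer would load and flag ones that do not look like Microsoft-signed
# system components. Run in an elevated PowerShell on the suspect host.

# Both registry views. A 32-bit writer (the SysWOW64 rundll32.exe in the report)
# is redirected under Wow6432Node, so checking only the native key misses it.
$SsodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)
$ClsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)

function Get-SsodlEntry {
    # One object per value name found in either SSODL key.
    foreach ($key in $SsodlKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                SsodlKey  = $key
                ValueName = $name
                Clsid     = [string]$item.GetValue($name)
            }
        }
    }
}

function Resolve-ClsidServer {
    # Every InProcServer32 registration for a CLSID, in both views.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $ClsidRoots) {
        $serverKey = Join-Path -Path $root -ChildPath "$Clsid\InProcServer32"
        if (-not (Test-Path -LiteralPath $serverKey)) { continue }
        # The (default) value holds the DLL path, possibly with %SystemRoot%-style variables.
        $raw = [string](Get-Item -LiteralPath $serverKey).GetValue('')
        [pscustomobject]@{
            ServerKey = $serverKey
            DllPath   = [Environment]::ExpandEnvironmentVariables($raw)
        }
    }
}

function Test-SsodlPersistence {
    # Joins SSODL entries to their resolved DLLs and applies the heuristic:
    # missing file, invalid/absent signature, non-Microsoft signer, or a path
    # outside %SystemRoot% is flagged as Suspicious.
    foreach ($entry in Get-SsodlEntry) {
        foreach ($srv in Resolve-ClsidServer -Clsid $entry.Clsid) {
            $dll = $srv.DllPath
            $exists = Test-Path -LiteralPath $dll -PathType Leaf
            $sigStatus = 'NotFound'
            $signer = ''
            if ($exists) {
                $sig = Get-AuthenticodeSignature -FilePath $dll
                $sigStatus = [string]$sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            $inWindows = $dll -like "$env:SystemRoot\*"
            $suspicious = (-not $exists) -or ($sigStatus -ne 'Valid') -or
                          ($signer -notmatch 'O=Microsoft Corporation') -or (-not $inWindows)
            [pscustomobject]@{
                ValueName  = $entry.ValueName
                Clsid      = $entry.Clsid
                SsodlKey   = $entry.SsodlKey
                ServerKey  = $srv.ServerKey
                DllPath    = $dll
                Signature  = $sigStatus
                Signer     = $signer
                Suspicious = $suspicious
            }
        }
    }
}

Test-SsodlPersistence |
    Sort-Object Suspicious -Descending |
    Format-Table ValueName, Clsid, DllPath, Signature, Suspicious -AutoSize
```

On a host infected with this sample the WebCheck row would resolve, in the Wow6432Node view, to C:\Windows\SysWow64\bniasdo.dll and be flagged for its signature rather than its location. One caveat for Windows 7 hosts, the platform of this report: most system DLLs there are catalog-signed, and the PowerShell versions shipped with Windows 7 report such files as NotSigned, so expect false positives on genuine entries and compare DllPath against a known-good baseline (webcheck.dll under System32) instead of trusting the signature column alone.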
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\eed0ffd9b9cda03fec99477db1c86c5b_JaffaCakes118.dll,#1
  PID: 1992
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\eed0ffd9b9cda03fec99477db1c86c5b_JaffaCakes118.dll,#1
    PID: 2292
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 6.5MB
  MD5: 13f4c94c6d448e0f20456bfcd39389b3
  SHA1: 530756c8cb0193a8bc5bfb59e53c518693e6e286
  SHA256: c328da73659c19d71dad21684a34ffd99fb8c9e42b53539821008ce41e7078ec
  SHA512: 81f19cda55dcf3bb27b435aceb2ffa0f51b588c4b914ced346bdf44a31e6ab57a0bbcabd5e3f204e21c64eb8698f851a335d3183f8b59df3054ccdf0f5db762a